Cookiebot is a consent management platform from Usercentrics that uses an auto-blocking mechanism to prevent non-essential scripts from loading before consent. Disclosing it accurately in a privacy policy means explaining its role as consent infrastructure and verifying that its auto-blocking mechanism actually works for all scripts on your site.
Last reviewed by Lokker Privacy Engineering
Not legal advice
The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.
Data collection
What data Cookiebot typically collects
This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.
Visitor consent decisions (accepted categories, rejected categories, timestamp) stored in the CookieConsent cookie
Cookie scan results for the Cookiebot dashboard
Banner interaction data (accept, decline, configure choices)
Domain and subdomain configuration data
Cookiebot infrastructure cookies: CookieConsent and CookieConsentBulkTicket
Processing purposes
Purposes to describe in your policy
Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Cookiebot.
Recording and applying visitor cookie consent decisions
Automatically blocking non-essential scripts before consent
Providing a preference center for visitors to update consent
Automated cookie scanning and classification
Generating consent records for regulatory documentation
Jurisdiction notes
US and EU compliance considerations
These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.
United States
Cookiebot consent infrastructure is Strictly Necessary for managing compliance obligations. The CookieConsent cookie stores functional preference data required for legal compliance. For CCPA, Cookiebot can be configured to treat GPC signals as opt-out and to present appropriate opt-out notices to California visitors.
EU and UK (GDPR)
Under the GDPR, Cookiebot processes consent decisions as a data processor and does not itself require a separate consent to operate. Your policy should describe Cookiebot as consent management infrastructure and note that it is operated by Usercentrics A/S. Usercentrics acquired Cookiebot and provides a unified DPA. The CookieConsent cookie is Strictly Necessary.
Example language
Illustrative policy language for Cookiebot
The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.
Consent management infrastructure row
Cookiebot (Usercentrics A/S): Consent management platform that presents the cookie consent banner, records your preferences, and automatically blocks non-essential scripts before consent is given. Stores your decisions in the CookieConsent cookie. Category: Strictly Necessary (consent infrastructure).
Cookiebot consent platform disclosure paragraph
We use Cookiebot, a cookie consent management platform provided by Usercentrics A/S, to manage your preferences regarding cookies and tracking technologies used on this website. Cookiebot presents our cookie consent banner, records your consent decisions, and uses automatic script blocking to prevent non-essential tracking tools from loading until you have given your consent. Your preferences are stored in the CookieConsent cookie, which is classified as Strictly Necessary because it is required for the consent mechanism to function. Cookiebot does not use your consent preference data for advertising or profiling. You can update your preferences at any time by clicking the Manage Cookies link in the footer. Cookiebot processes consent data as a data processor under a data processing agreement with Usercentrics A/S.
Configuration checklist
CMP and tag manager checklist
An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Cookiebot.
1. Cookiebot itself is Strictly Necessary and will load regardless of visitor consent, as it is the mechanism for recording that consent.
2. Review Cookiebot's auto-blocking coverage. Cookiebot's script blocking works for scripts it can identify and re-write via its script tag modification mechanism. Scripts loaded dynamically or via server-side injection may not be blocked automatically.
3. Configure GPC detection in Cookiebot for California visitors. GPC should trigger automatic opt-out of non-essential categories.
4. Keep the Cookiebot domain scanner updated. Run a fresh scan after significant site updates to ensure newly added cookies are classified and displayed in the consent dialog.
5. Use Consent Validator to verify that Cookiebot's auto-blocking is effectively preventing non-essential scripts from loading. Auto-blocking can fail for scripts with unusual load patterns or those injected by other scripts.
Policy vs practice
What policies say versus what Lokker validates
These are common gaps between Cookiebot privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.
What the policy says
Policies state that Cookiebot automatically blocks all non-essential scripts until the visitor provides consent.
Policies describe Cookiebot's cookie scanner as maintaining a complete and current list of all cookies used on the site.
Policies confirm that GPC signals are honored and that Cookiebot automatically treats GPC as an opt-out for California visitors.
What Lokker validates
Cookiebot's auto-blocking modifies script tags it recognizes. Dynamically injected scripts, scripts loaded via document.write, and scripts introduced by other scripts can bypass auto-blocking. Lokker tests whether any non-essential endpoints are contacted before consent in the no-interaction state.
The Cookiebot scanner identifies cookies present during a single automated crawl. Conditional cookies that appear only after login, after conversion events, or from third-party scripts injected by other scripts may be missed. Lokker discovers cookies and network calls across multiple interaction states.
Cookiebot's GPC support requires explicit configuration. Lokker sends a GPC signal and verifies whether Cookiebot triggers the correct opt-out consent state and whether non-essential scripts are blocked as a result.
Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Cookiebot loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
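Added example, not Lokker's tooling: the outside-in check described above, run over a constructed request capture for each consent state. It flags any request to a host outside an assumed Strictly Necessary allowlist that was sent without an opt-in, or before the opt-in was recorded. All hosts, timings and names are hypothetical.

```javascript
// Hosts treated as Strictly Necessary for this constructed site (assumption).
const NECESSARY = ["shop.example", "cmp.example"];

// Constructed captures: one page load per consent state. consentAt is the time (ms)
// at which the consent decision was recorded, or null if the visitor never interacted.
const CAPTURES = {
  "no-interaction": { consentAt: null, optIn: false, requests: [
    { t: 120, url: "https://cmp.example/banner.js", initiator: "parser" },
    { t: 480, url: "https://px.tracker.example/t.gif", initiator: "script" },
  ]},
  reject: { consentAt: 900, optIn: false, requests: [
    { t: 110, url: "https://cmp.example/banner.js", initiator: "parser" },
    { t: 1300, url: "https://www.shop.example/api/cart", initiator: "script" },
  ]},
  gpc: { consentAt: 50, optIn: false, requests: [
    { t: 700, url: "https://ads.example/sync", initiator: "script" },
  ]},
  accept: { consentAt: 1000, optIn: true, requests: [
    { t: 400, url: "https://analytics.example/a.js", initiator: "parser" },
    { t: 1500, url: "https://ads.example/sync", initiator: "script" },
  ]},
};

// Exact host or any subdomain of an allowlisted domain.
const isNecessary = (host) =>
  NECESSARY.some((d) => host === d || host.endsWith("." + d));

// A request is a violation when it goes to a non-necessary host and either the
// visitor never opted in, or it was sent before the opt-in was recorded.
function findViolations(captures) {
  const out = [];
  for (const [state, cap] of Object.entries(captures)) {
    for (const r of cap.requests) {
      const host = new URL(r.url).hostname;
      if (isNecessary(host)) continue;
      const beforeOptIn = !cap.optIn || cap.consentAt === null || r.t < cap.consentAt;
      if (beforeOptIn) out.push({ state, host, t: r.t, initiator: r.initiator });
    }
  }
  return out;
}

console.log(findViolations(CAPTURES));
```

The accept flow is checked too: a non-essential request sent before the visitor clicks accept is still a pre-consent load.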
Questions
Cookiebot privacy policy FAQ
What is the difference between Cookiebot and CookieYes?
Cookiebot and CookieYes are both consent management platforms but differ in target audience and blocking mechanism. Cookiebot emphasizes automatic script blocking and is designed for enterprise and mid-market use; it is owned by Usercentrics A/S. CookieYes is focused on small and medium-sized websites with a simpler setup. Both record consent decisions and provide preference centers, but their auto-blocking mechanisms and configuration depth differ. Compliance validation is necessary for both to confirm that blocking is technically working.
Does Cookiebot itself require GDPR consent to load?
No. Cookiebot is consent infrastructure and is classified as Strictly Necessary. It loads before any consent decision because it is the mechanism for obtaining that consent. The CookieConsent cookie it sets is required to store preferences across visits. This is consistent with the EDPB interpretation that consent infrastructure necessary to record consent is itself Strictly Necessary.
How does Cookiebot's auto-blocking work and what are its limitations?
Cookiebot's auto-blocking works by rewriting script tags it identifies during its scan, changing their type attribute so the browser does not execute them until Cookiebot releases them after consent. This approach effectively blocks scripts that are present in the HTML at scan time. Scripts loaded dynamically after page load by other JavaScript, scripts introduced via server-side injection, and scripts that bypass the type attribute mechanism may not be blocked. Site changes that introduce new scripts without a Cookiebot scan update are also a gap. Technical validation is needed to confirm blocking works across all scenarios.
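Added example, not Cookiebot's or Lokker's code: a static audit of served markup that lists script tags the browser will still execute because their type is an executable one, plus inline scripts that create further script elements, which is the case tag rewriting cannot cover. The hosts, the allowlist and the sample HTML are constructed, and the function names are hypothetical.

```javascript
// Browsers run a <script> only when its type is absent, empty, a JavaScript MIME
// type (common ones listed) or "module"; any other value leaves it inert.
const EXECUTABLE_TYPES = new Set(["", "module", "text/javascript",
  "application/javascript", "text/ecmascript", "application/ecmascript"]);

// Constructed snapshot of served markup; all hosts are placeholders.
const PAGE_URL = "https://www.shop.example/";
const ALLOWED_HOSTS = new Set(["www.shop.example", "cmp.example"]); // assumption
const SAMPLE_HTML = `
<script src="https://cmp.example/banner.js"></script>
<script type="text/plain" src="https://ads.example/pixel.js"></script>
<script src="https://analytics.example/a.js" async></script>
<script>var s = document.createElement("script");
  s.src = "https://tracker.example/t.js"; document.head.appendChild(s);</script>
<script src="/static/app.js"></script>`;

// Parse name="value", name='value', name=value and bare attributes.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of raw.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditScripts(html, pageUrl, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, rawAttrs, body] of html.matchAll(tagRe)) {
    const attrs = parseAttrs(rawAttrs);
    const type = (attrs.type || "").trim().toLowerCase();
    if (!EXECUTABLE_TYPES.has(type)) continue; // blocked: the browser will not run it
    if (attrs.src !== undefined) {
      const host = new URL(attrs.src, pageUrl).hostname;
      if (!allowedHosts.has(host)) findings.push({ kind: "executable-third-party", host });
    } else if (/createElement\(\s*["']script["']\s*\)|document\.write\(/.test(body)) {
      // Whatever this inline code loads never appears as a tag to rewrite.
      findings.push({ kind: "inline-injector", host: null });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, PAGE_URL, ALLOWED_HOSTS));
```

In the sample, tracker.example never shows up as a host in the findings because it exists only at runtime, so a markup audit can point at the injector but cannot replace checking the requests the browser actually makes.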
Confirm that Cookiebot's auto-blocking is working as documented and that non-essential scripts are not loading before the consent decision is recorded.